On Fri, Jun 05, 2026 at 01:50:57PM -0700, Stephen Hemminger wrote:
> While looking into extending telemetry for other uses, I noticed a
> pattern of unsafe string handling in the command handlers. They run one
> thread per client connection but parse parameters with non-reentrant
> strtok(), and convert ids with atoi()/unchecked strtoul() that silently
> truncate or alias out-of-range values; in eth_rx the strtok()
> continuation chain can also dereference freed memory.
>
> This series covers the library code (telemetry, ethdev, dmadev, security,
> eventdev, eth_rx, timer). A follow-up is needed for the same strtok()
> use in drivers.
>
> They are marked for stable: the races and the use-after-free are real and
> the changes are low-risk to backport. But severity is low since telemetry is
> not a remote interface, but these are the kind of issues likely to
> be found by AI security scanning tools.
>
> In future, atoi() and strtok() look worth adding to the forbidden
> tokens list in devtools/checkpatches.sh.
>
> Stephen Hemminger (8):
> telemetry: fix thread-unsafe command parsing
> ethdev: make telemetry parameter parsing thread-safe
> dmadev: validate telemetry parameters
> security: harden telemetry parameter parsing
> eventdev: remove strtok from telemetry handlers
> eventdev/eth_rx: fix thread-unsafe telemetry parsing
> eventdev/eth_rx: reject out-of-range telemetry adapter ID
> eventdev/timer: reject out-of-range ID
>
Series-Acked-by: Bruce Richardson <[email protected]>
